EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.
The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].
Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.
Conflicts due to six removal in e2d83ae9: keystone/api/_shared/EC2_S3_Resource.py keystone/tests/unit/test_contrib_ec2_core.py
Conflicts due to v2.0 API testing in stable/queens. The v2.0 tests were
removed in Rocky but in earlier releases we tested similar functionality
between v3 and v2.0. This conflict was resolved by porting the timestamp
to the v2.0 API test: keystone/tests/unit/test_contrib_ec2_core.py
Conflicts due to flask reorg: keystone/api/_shared/EC2_S3_Resource.py
Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737
(cherry picked from commit ab89ea749013e7f2c46260f68504f5687763e019)
(cherry picked from commit 8d5becbe4b463f6a5a24a1929dd0f48dab6ae027)
(cherry picked from commit e3f65d6fbcd18032a8ad3dfa3aaded264a282158)
(cherry picked from commit 1ef3828516c1b87a8ca84acca73ec593b0b8591d)
(cherry picked from commit 35f09e2b7c00e03cd1d52a2337b51be38dd79480)
(cherry picked from commit d6f1006dd0ca8f7999f32133d348fcec8f2299d3)
Reviewed: https:/ /review. opendev. org/726025 /git.openstack. org/cgit/ openstack/ keystone/ commit/ ?id=1c1cf556f81 058a63ea0bd5138 540b0e6795f7a0
Committed: https:/
Submitter: Zuul
Branch: stable/pike
commit 1c1cf556f81058a 63ea0bd5138540b 0e6795f7a0
Author: Colleen Murphy <email address hidden>
Date: Thu Apr 16 17:05:43 2020 -0700
Check timestamp of signed EC2 token request
EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.
The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].
Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.
[1] https:/ /docs.aws. amazon. com/general/ latest/ gr/signature- version- 2.html /docs.aws. amazon. com/general/ latest/ gr/sigv4- date-handling. html
[2] https:/
Conflicts due to six removal in e2d83ae9:
keystone/ api/_shared/ EC2_S3_ Resource. py
keystone/ tests/unit/ test_contrib_ ec2_core. py
Conflicts due to v2.0 API testing in stable/queens. The v2.0 tests were
keystone/ tests/unit/ test_contrib_ ec2_core. py
removed in Rocky but in earlier releases we tested similar functionality
between v3 and v2.0. This conflict was resolved by porting the timestamp
to the v2.0 API test:
Conflicts due to flask reorg:
keystone/ api/_shared/ EC2_S3_ Resource. py
Change-Id: Idb10267338b420 4b435df233c6360 46a1ce5711f 2c46260f68504f5 687763e019) a5a24a1929dd0f4 8dab6ae027) 2a8ad3dfa3aaded 264a282158) a8ca84acca73ec5 93b0b8591d) cd1d52a2337b51b e38dd79480) 999f32133d348fc ec8f2299d3)
Closes-bug: #1872737
(cherry picked from commit ab89ea749013e7f
(cherry picked from commit 8d5becbe4b463f6
(cherry picked from commit e3f65d6fbcd1803
(cherry picked from commit 1ef3828516c1b87
(cherry picked from commit 35f09e2b7c00e03
(cherry picked from commit d6f1006dd0ca8f7